Updating NTP Servers

As always when you’re running own services you should update them regularly to have all known bugs fixed and security issues thwarted. Same for NTP servers based on Linux, as in my case running on Raspberry Pis. Especially when you’re actively joining the NTP pool project with your NTP servers you have to update them to the latest version of ntp since you might be misused for well-known DDoS attacks or other security related bugs.

So, what’s this all about? You can simply do an “apt-get upgrade”, don’t you? Well, unluckily the ntp packages within the Linux distributions are not always updated to the latest versions. Hence you need to compile the ntp software by yourself to have the latest release running. Still not that hard, though it requires a bit more attention.

This article is one of many blogposts within this NTP series. Please have a look!

In this post I am showing how to update a Raspberry Pi with ntp, while I am *not* using the ntp package from the Raspbian distribution, but compiling it by myself. If you’re operating an NTP appliance such as the ones from Meinberg, you must not use these procedures but their official firmware updates.

Before updating you should write down the current versions to compare them with the newer ones later on. In this case the Linux kernel as well as the ntp version:

1

2

3

4

5

pi@ntp2:~$uname-a

Linux ntp24.4.26+#915 Thu Oct 20 17:02:14 BST 2016 armv6l GNU/Linux

pi@ntp2:~$ntpq-cversion

ntpq4.2.8p9@1.3265-oWed Dec715:39:06UTC2016(1)

Backups!

This is very important: Make a backup of everything you have done so far to an external location! Especially configuration files. As I am using ntp with static IP addresses, NTP authentication as well as SNMP for monitoring them (have a look at my other NTP blogposts), I have to save at least the following config files:

1

2

3

4

/etc/network/interfaces

/etc/ntp.conf

/etc/ntp.keys

/etc/snmp/snmpd.conf

For example you can create a folder, copy those files, changing some ownerships and saving them via SCP to your remote location:

1

2

3

4

5

6

7

8

cd~

mkdirNTP-Backup-DATE-OF-TODAY

cp/etc/network/interfaces~/NTP-Backup-DATE-OF-TODAY/

cp/etc/ntp.keys~/NTP-Backup-DATE-OF-TODAY/

cp/etc/ntp.conf~/NTP-Backup-DATE-OF-TODAY/

sudo cp/etc/snmp/snmpd.conf~/NTP-Backup-DATE-OF-TODAY/

sudo chownpi:pi~/NTP-Backup-DATE-OF-TODAY/snmpd.conf

scp-r~/NTP-Backup-DATE-OF-TODAY/USER@REMOTE.SERVER.TLD:~/

Updating Linux/Raspbian

You should update the overall operating system as well. However, please verify before updating it that your ntp package is “on hold”. That means: It is NOT updated by the operating system (since those ntp packages tend to be old and outdated). If you have read my two tutorials about using a Raspi with GPS/DCF77, you already know what I’m talking about. Note the “h” in the very first column:

Now, in case of Debian based Linux derivatives you can do the upgrade with these two well-known commands:

1

2

sudo apt-getupdate

sudo apt-getdist-upgrade

Updating NTP

Since you want to update ntp to its latest release, you need to download it from its homepage. At the time of writing I updated my instance to version 4.2.8p10. Of course there are newer versions out there in the meantime.

In the second step you need to build the ntp package. Dependent of your stratum 0 source such as DCF77 or GPS, the configure command slightly differs:

1

2

3

4

#in case of DCF77:

./configure--enable-RAWDCF--prefix=/usr

#in case of GPS or a simple server without any stratum 0 source at all:

./configure--prefix=/usr

Followed by the actual build, installation and reboot. This might take some time, e.g. more than 1 hour on an old Raspberry Pi 1 B:

1

2

3

4

make

sudo service ntp stop

sudo makeinstall

sudo reboot

After your system is up again you can check the new versions of the kernel and ntp:

1

2

3

4

5

pi@ntp2:~$uname-a

Linux ntp24.9.24+#993 Wed Apr 26 17:56:54 BST 2017 armv6l GNU/Linux

pi@ntp2:~$ntpq-cversion

ntpq4.2.8p10@1.3728-oMon May1518:10:56UTC2017(1)

And, of course, you should also verify that your ntp server is up and running, for example with
ntpq -p.

Pitfalls

What I don’t like about remotely updating Linux servers is this:

Just updated two identical Raspberry Pis to its newest release. One lost its "predictable network interface names", falling back to eth0 instead of enxb827… Had to visit the datacenter w/ screen and keyboard. #hateit#fail#dontknowwhy

Hence: If your NTP server is crucial to your network, don’t update all your instances simultaneously but wait until the first one is updated successfully and running again.

Furthermore, if you have the chance to use serial TTY consoles to access your devices in case of a network/generic failure, do so. ;) I know, this might not be necessary for your hobby Raspberry Pi projects, but maybe for your NTP appliances such as the ones from Meinberg which offer an RJ45 serial connection port.